Educause Security Discussion mailing list archives

FW: Server-Gateway Cryptography SSL Certificates....are they needed?


From: "Mercer, Susan" <smercer () EDMC EDU>
Date: Thu, 23 Feb 2006 14:42:05 -0500

 

Hello -

We are implementing a new online admissions application that will store
applicants' Social Security numbers.  We will also require our
applicants to pay their application fee via credit card or e-check
before they submit the application.  We will be using VeriSign Payment
Services (recently sold to PayPal) for the payment transaction, and we
will NOT be storing credit card or bank account details in our database.

 

We've also been talking to VeriSign about SSL certificates because we
want the entire online session to be secure.  They are trying to upsell
us from the "standard" SSL certificate to one that uses Server-Gateway
Cryptography (SGC).  They claim that standard SSL certificates do not
guarantee 128-bit encryption, due to operating system issues.  According
to their report, users on Windows 2000 (without SP4) and Windows 98 will
get 40-bit or 56-bit encryption for their SSL connections.  They also
claim that 40-bit encryption can be hacked by brute force within
seconds, and 56-bit can be hacked within days.

 

Of course, the cost for SGC SSL certificates is 3 times the cost of the
regular ones ($999/yr vs $349/yr).

 

I don't know that much about security, so I thought I would ask the
group.

* Are their claims valid about 40-bit and 56-bit encryption?
* Can those really be hacked by brute force that quickly?
* How much of a risk is it to go with a standard SSL certificate?
* Does anyone else out there use SGC SSL Certificates?

 

Any guidance is appreciated.  

 

Thank you,

Susan

 

Susan Mercer | EDMC Online Higher Education
Web Producer - Student Services
1400 Penn Avenue | Pittsburgh, PA 15222-4332
Office: 412-995-2937 | Cell: 412-327-9423

